SSSD Kerberos AD authentication troubleshooting?

    Hi all,

    I'm trying to set up a kickstart that includes registering in the local AD.
    I have managed to get it working in my trial runs using CentOS 7, including using a dedicated keytab to register the machine.

      /sbin/realm join --verbose --computer-ou="...." example.com
    

    But when I started with a RHEL 7 server intended for live use, the keytab does not work for joining the realm, and when I join it manually (with -U) I can't log in to the new server using my AD user.

        /sbin/realm join -U sysUser@EXAMPLE.COM --verbose --computer-ou="...." example.com
    

    I have verified that sssd.conf and krb5.conf have the same settings.
    Actually, every setting I can think of is the same between the two machines.
    I tried setting SELinux to permissive mode, but it did not help either.

    I can use kinit to authenticate from the cli:

    ]$ kinit -V  myUser@EXAMPLE.COM
    Using default cache: /tmp/krb5cc_1000
    Using principal: myUser@EXAMPLE.COM
    Password for myUser@EXAMPLE.COM:
    Authenticated to Kerberos v5
    ]$
    

    but the sssd service says:

    ]$ sudo systemctl status sssd -l
    ● sssd.service - System Security Services Daemon
       Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/sssd.service.d
               └─journal.conf
       Active: active (running) since Mon 2018-03-05 18:22:42 CET; 1min 33s ago
     Main PID: 682 (sssd)
       CGroup: /system.slice/sssd.service
               ├─682 /usr/sbin/sssd -i -f
               ├─771 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
               ├─924 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
               └─925 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
    
    Mar 05 18:23:57 my-host@example.com sssd[be[example.com ]][771]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
    Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
    Mar 05 18:23:57 my-host@example.com sssd_be[771]: GSSAPI client step 1
    

    /var/log/sssd/sssd_example.com.log is huge even at log level 3, but this part stands out:

    (Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
    (Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
    (Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
    (Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]
    (Mon Mar  5 18:22:44 2018) [sssd[be[example.com]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
    

    Can anyone give me an idea of where I should continue searching?

    Thanks.

    Regards,
    //Samuel
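The error in the post's SSSD log, "Server not found in Kerberos database" during the SASL GSSAPI bind, is the KDC saying it has no entry for the service principal the client asked for (here ldap/<dc-name>), not a problem with the user's own credentials, which is why kinit still works. The script below is an added example, not code from the original post or from Red Hat: it packages the two checks a practitioner would run next. First, whether the name SSSD resolved for the DC matches the PTR record for the DC's address (MIT krb5 canonicalises through reverse DNS by default, so a stray PTR makes the client request a ticket for an SPN the DC never registered; the fix is correcting the PTR or setting rdns = false in krb5.conf). Second, whether the machine keytab actually contains the principals a joined host is expected to present, which is the thing to verify when a keytab-based realm join fails. The hostnames, realm, klist listing and the SSSD_DIAG_LIVE switch are all assumptions constructed for the example; the live section also assumes the Kerberos realm is the upper-cased DNS domain.

```shell
#!/bin/sh
# Added example, not code from the original post. Offline checks for the two
# conditions most often behind "Server not found in Kerberos database" when
# SSSD's AD provider does its GSSAPI LDAP bind, plus a guarded live section.
#
#  1. The client built a service principal (ldap/<name>) from a name the DC
#     does not own, typically because MIT krb5 canonicalises the DC's IP via
#     reverse DNS (rdns) and the PTR record differs from the DC's real name.
#  2. The machine keytab lacks the principals a joined host is expected to
#     present (host/<fqdn>@REALM and <SHORTNAME>$@REALM).
#
# Hostnames, realm and the sample listing below are constructed.

# expected_principals <fqdn> <REALM>
# Prints the two principals an AD-joined host normally carries in its keytab.
expected_principals() {
    fqdn=$1
    realm=$2
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
    printf '%s$@%s\n' "$short" "$realm"
}

# keytab_has_principal <principal> <text of 'klist -kt'>
# Exit 0 if the principal is the last field of any line in the listing.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# keytab_missing_principals <fqdn> <REALM> <text of 'klist -kt'>
# Prints each expected principal that is absent from the listing.
keytab_missing_principals() {
    expected_principals "$1" "$2" | while IFS= read -r p; do
        keytab_has_principal "$p" "$3" || printf '%s\n' "$p"
    done
}

# dc_name_mismatch <name SSSD resolved for the DC> <PTR name for that DC's IP>
# Exit 0 when the two names differ (case-insensitive, trailing dot ignored).
# That is the rdns trap: the TGS request goes out for ldap/<ptr-name> and the
# KDC answers "Server not found in Kerberos database".
dc_name_mismatch() {
    a=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "${2%.}" | tr '[:upper:]' '[:lower:]')
    [ "$a" != "$b" ]
}

# Constructed sample of 'klist -kt /etc/krb5.keytab' on a host that was
# joined as my-host.example.com, so both expected principals are present.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/05/2018 18:20:01 host/my-host.example.com@EXAMPLE.COM
   2 03/05/2018 18:20:01 MY-HOST$@EXAMPLE.COM'

# Offline demonstration on the constructed data.
missing=$(keytab_missing_principals my-host.example.com EXAMPLE.COM "$SAMPLE_KEYTAB")
[ -z "$missing" ] && echo "keytab: OK" || echo "keytab missing: $missing"
if dc_name_mismatch dc1.example.com dc1.corp.example.local.; then
    echo "rdns: DC name and PTR differ; fix the PTR or set rdns = false in krb5.conf"
fi

# Live checks (skipped offline): run as root on the joined host after kinit,
# with SSSD_DIAG_LIVE=1. Assumes the realm is the upper-cased DNS domain.
if [ "${SSSD_DIAG_LIVE:-0}" = 1 ]; then
    fqdn=$(hostname -f)
    domain=${fqdn#*.}
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    keytab_missing_principals "$fqdn" "$realm" "$(klist -kt /etc/krb5.keytab)"
    # First DC advertised for the domain, then its address and PTR record.
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | awk 'NR == 1 { print $4 }')
    ip=$(dig +short A "${dc%.}" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1)
    dc_name_mismatch "$dc" "$ptr" && echo "PTR for $ip is $ptr, not $dc"
    # Asks the KDC for the same service ticket SSSD needs for its LDAP bind.
    kvno "ldap/${dc%.}@$realm"
fi
```

Run the live section on the affected RHEL 7 host and on the working CentOS 7 host and compare: if kvno fails only on the RHEL host with the same "Server not found" text, the difference is in name resolution for that host's view of the DC, not in sssd.conf.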


    © 2025 Red Hat, Inc.